tv Politics Public Policy Today CSPAN July 15, 2014 3:00pm-5:01pm EDT
engaged in wiretapping and fraud and we'd like to see an amendment to the statute to permit injunctions in other circumstances in which we see botnets operating. then on the issue of the institutional knowledge, the computer crime intellectual property section is really -- it really is the receptacle, that's a bad word but where the knowledge is based. that section had a headquarters compone component, field components and institutional knowledge of botnets so if one prosecutor leaves, the knowledge isn't going to leave. we coordinate regularly with the fbi and there's a lot of coordination, there's a lot of coordination with the computer hacking intellectual property network in the u.s. attorney's offices and there is an institutional base of knowledge about be the notnets so -- >> in a nutshell you feel right now that that task has been adequately institutionalized in
the department that there will be continuity and persistence rather than ad hoc efforts? >> yes. and i think that although they weren't as prominent, there were at least a half dozen other botnet takedowns in the last couple of years between core flood and game over zeus so there's definitely -- it's definitely a priority and a focus and there's a lot of knowledge among the prosecutors and their counter parts at the fbi about the botnets, and they will keep coming and we will keep attacking them. >> yeah. i yield to my ranking member but my impression was that some of those were sort of sporadic and ad hoc takedowns that appeared in individual u.s. attorney's offices and not necessarily consistent with a continuing, lasting, persistent presence stripping down one botnet after another an i'm glad you've gotten to where you have gotten so thank you. senator graham? >> are you the eliot ness of
botnets? >> i think he's the eliot ness of bot nets. >> okay. you try to deter the behavior, make people think if i do this i'm going to get caught. and if i get caught, bad things are going to happen. what do you think the deterrence is like right now, mr. demarest? >> i think it's significant now and maybe in years past maybe not so much and traveled and felt they can take some actions with impunity and we're finding today with the actions, enforcement acts, successful, we're causing impact and see that in other collection, them talking amongst each other and concern about traveling now which is a way of containing some of the threats that we see, individuals today. >> what nation states do we need to worry about in terms of being involved in this activity? >> i would say nation states of eurasia principally. the criminal actors come from that part of the world. >> are they reliable partners,
the nations, the governments? >> we're opening dialogue i will say on that front. i think you would find with some of our russian counterparts in law enforcement are a bit more agreeable but as, you know, any new relationship, i think in especially in this space, we're working toward improving them. >> if it's possible, maybe by the end of the year could you provide the committee with a list of the countries you think are good partners? and the list of countries you think have been resistant? >> yeah. easily done. based on our activities and working with the countries we do work with. >> once we identify them, maybe we can change their behavior. there's all kinds of ways of getting people's attention. was this a problem five years ago? how long has this been a problem? >> this has existed for years. and probably we're just now, you know, that is tip of the iceberg and i think as we get more
sophisticated, internal u.s. government, seeing and being able to identify -- >> what made us aware of it today more than say, five years ago? consequences? >> consequences, victim reporting. major losses occurring to private industry. >> is there any end to this? how far can these people go? >> they'll keep on going. as you can see, each bot will evolve. we take actors off. malware will change. we see a complete evolution. but again, we're actually placing at least there's a price to pay for actually engaging in this activity new. >> are terrorist organizations involved this? >> we track them very closely. i would say there's an interest but much further than that, senator graham, probably a different setting we could give you a further briefing. >> ms. caldwell, on the civil-criminal aspect of this, what are the couple things that you would like congress to do to enhance your ability to protect our nation? i mean, i'm sure you have this
written down somewhere but just for the average person out there listening to this hearing, what are the couple of things you would like to see us do? >> well, one is one i already mentioned which is -- >> my phone off? >> changing the civil injunction ability to have the capability to enjoin botnets other than those engaged in fraud and wiretapping because there are, for example, direct denial of service attacks. we can't get an injunction against that. we would like to do this. >> we need to increase penalties? >> that's an interesting question, senator. and i think that we've been seeing increased penalties being imposed by courts. so -- >> i mean statutorily, do we need to change any statutes to make this bite more? >> i'll defer to ms. caldwell, but -- i'll defer to you. >> yeah. i think that the maximum sentences under most of the statutes are adequate. i don't think we need any kind of mandatory minimums because we have been seeing judges imposing
sentences around the seven, eight, nine-year range which i think is a substantial sentence. there are a couple other things we would like to see that right now there's no law that covers the sale or transfer of a botnet that's already in existence. and we've seen evidence that a lot of folks sell botnets. they rent them out. and we'd like to see a law that addresses that. one other thing which is a little bit off point but i think is still relevant to botnets is we -- right now there's no law that prohibits the overseas sale of u.s. credit cards unless there's an action taken in the united states or unless money's being transferred from overseas to the united states and we see credit card -- situations where people have millions of credit cards from u.s. financial institutions and never set foot in the united states. that's currently not covered by the existing law. >> you could steal my credit card information from overseas and basically be immune.
>> correct. unless you transferred proceeds of the scheme back to the united states. >> okay. one last question here. when it -- when they basically seize your computer, hijack your computer and the information contained therein, they actually hold -- i mean, they ask -- they make a ransom demand? how does that work? >> under crypto locker, what happened and i'm certainly not a technical expert so jump in. you would be on the computer and see something on the screen that told you the files were incrypted and would be unless you paid a ransom and within "x" hours and if you didn't the files would be deleted. >> and a payment made but bitcoin or whatever lish established venue is they expect the payment within a given amount of time and if not it's encrypted. >> do people pay? >> they do. >> what's the biggest payout you have seen? >> well, all things involved,
crypto locker and crypto wall now and a major concern of paying in excess of probably $10,000 but they're focused now more on major concerns, businesses. and entities as opposed to single victims. >> is that extortion under our law? >> yes. >> so you don't need to change that statute? >> no. the problem is, though, that as with a lot of these cyber crimes, most of the people engaged are overseas. >> thank you. >> let me recommends senator kuntz who's been interested and dedicated to this topic and home state is energized on the topic because the delaware national guard actually has a cyber wing that's active and one of the best cyber national guard detachments in the country. i say one of the best because rhode island has one, too. senator kuntz? >> thank you very much. thank you chairman and senator graham. you're great and effective leaders on this issue. to the point raised by the chairman, given the per sis ten
sy of this threat, given it trajectory, its scope, its scale and the resources that you're having to deploy in order to take down these botnets and in order to break up the criminal gangs, is it acceptable, is it possible for us to deal with this threat with a federal law enforcement response alone? do we need a partnership from state and local law enforcement? i assume the answer is yes. how are we doing it? delivering an integrated capability, federal, state and local, first, second? what kind of capabilities do businesses and individuals, does the private sector and citizens have and what are we doing to help scale up that? because the resiliency of our country, the ability to respond to the threats as we all know much as it is with natural disasters or with terrorism threats, requires a sort of everybody engaged response that engages our private sector, engages entrepreneurials and engages state and local and
federal law enforcement. >> sure. thank you, senator kuntz. we have khyber tasks forces throughout the offices, 56 out there. each office is engaging at the local level to bring state and local authorities aboard. net defenders from the organization thai represent. very difficult with resources constrained at the state and local level and appreciating. we kicked off a well spring, defauding the elderly and real estate and bring an investigator or officer aboard or analyst, we work closely with them to foster or develop the skill in this area working cyber crime. it's worked well in the initial offices in salt lake city, with the utah department of public safety. and down in dallas with some of the local department of dallas
police department. we have a long way to go in that space and for them to fully appreciate the threats today facing the public or the citizens they're responsible for. on the private sector, we have worked far and wide and somewhat limited force and focused on those priority sectors if you will most threatened. but we have found time and time again the most threatened and most vulnerable are small to medium-sized business owners with one single person that's responsible for internet security or cyber security and insurance and the like and how to target the band and bring them aboard? we had health care, representatives from the health care industry in the headquarters working through what that relationship would look like with health care and we focused on energy, telecommunications and the like over the past two years and now how do we broaden that effort out? >> implicitly from the reference to health care, as we go to
electronic med ral records, we have data for cyber criminals to go after. ms. caldwell? >> yes. i think -- i'm sorry. i think any online database is vulnerable. some obviously have more security protections than others. and as you indicated, senator kuntz, the health care databases have a lot of sensitive personal information so we've seen i know in some of the botnets that we have seen over the years including if i'm not mistaken game over zeus some of the victims were hospitals so that's a very serious area of concern we're concerned about. >> one other question. as senator whitehouse referenced, we have a warfare squadron of the national guard. they've stood up and grown and developed this national guard capability which takes advantage of the fact that we have a fairly sophisticated financial services community. we have credit card processing and as a result there's a lot of fairly capable and sophisticated
online security and financial services security professionals who can then also serve in a law enforcement and national security first responder context through the national guard. what lessons do you think we could learn from that partnership, that collaboration in our two home states and lead us to a better scale-up of the needed federal workforce to respond to and deal with the law enforcement challenges? >> the treasure trove of skill in the guard and reserve forces. we participated, actually hosted at the fbi academy the cyber guard exercise for 2014. a lot of -- we brought personnel in from around the field, at least 50 from the local cyber it is a forces and local guard units in. great capability there. our director along with deputy director had a meeting with the cyber command, osd an joint staff to better core late or corroborate in the space. tomorrow we have another meeting with the commanders at my level
to put it in place with reserve and guard units. admiral rogers held a meeting up at nsa recently to talk through what that looks like and working with cyber command, the guard forces and reserve forces. and what skills they bring, how that may assist the fbi in our operations and also training opportunity that is we can leverage with one another. >> terrific. thank you for your testimony. i look forward to hearing more of the development of the partnership and thank you for your leadership in this area, senator whitehouse. >> well, i'll let you two go. i'm sure we could ask you questions all afternoon. this is such a fascinating and emerging area of criminal law enforcement. i appreciate very, very much the work that you do and i want you to pass on to attorney general holder my congratulations for the dedication that he's brought to this pursuit, particularly as exemplified by the game over zeus take down and indictment of
the china pla officials, those were both very welcomed steps and i'm looking forward to seeing more criminal prosecution of foreign cyber hackers. i think the opening gambit with the indictment was terrific. congratulations to you both. thank you for your good work, and we'll release you and call the next panel forward.
all right. thank you all so much for being here. this is a really terrific private sector panel on this issue and i'm grateful that you have all joined. i'll make the formal introductions right now of everyone and then go right across with your statements. our first witness is going to be richard boscovich who is the assistant attorney general counsel on microsoft's digital crimes unit. a position where he developed
the legal strategies used in the tickdowns and disruptions of several botnets including the citadel, zeus and zeus access botnets. he previously served for over 17 years at the department of justice as an asis about the u.s. attorney in florida's southern district with the sbe lukt ideal property unit. hearing from cheri macguire from sy man tech corporation, one of the cyber security providers in this country. she is responsible for the global public policy agenda and government engagement strategy including cyber security data integrity, critical infrastructure protection and privacy. before she joined sy man tech in 2010, she was director of critical infrastructure and cyber security in microsoft's trustworthy computing group and before that at department of homeland security including as acting director and deputy
director of the national cyber security division and the u.s. cert. then we'll hear from dr. paul vixie, chief executive officer of far sight security which is a commercial internet security company. he previously served as the chief technology officer for above net, an internet service provider, as and the founder and ceo of maps, the first anti-spam company and as the operator of the fdns root name serve enear author and was the maintainer of bind, a popular open source system for 11 years. and he was recently inducted into the internet hall of fame. finally, i will hear from craig spits l, executive director, founder an president of the online trust alliance. he -- online trust alliance encourages best practices to help protect consumer trust and
he works to protect the vitality and innovation of the internet. prior to founding the online trust alliance, he worked at microsoft again, the fraternity, where he drove development of anti-spam, anti-fbiing, anti-malware and privacy enabling technologies, on the board of the identity theft council and appointed to the fcc's communication security reliability and interopinionerability council and a member of the partnership between fbi and the private sector and experienced and knowledgeable witnesses and let me begin with richard boscovich. we're so glad you're here. thank you. >> chairman whitehouse, ranking member graham and members of the committee, i'm richard boscovich, assistant general council. thank you for the opportunity to discuss microsoft's approach to fighting and detecting bot nets. we also thank you for your leadership in focusing attention to this complicated and important topic. botnets are groups of computers
remotely by hackers without knowledge or consent enabling criminals to steal information and identity, disrupt networks and distribute software and spam. i'll describe how microsoft fights botnets, disrupting the tools and tle carefully designs these operations to protect consumers. to understand the devastating impact of botnets, we can look at how they affect one victim. consider in use power. a chef in the united ding come do found a warning she could not access the files unless she paid a ransom within 72 hours. all of her photos, financial accounting information and other data were permanently deleted. all this was caused by a botnet. she later told the reporter, if someone had robbed my house, it would have been easier. indeed, botnets conduct the
digital equivalent of home invasions but on a massive scale. botnet operators quietly hijack web cams to spy on people in their homes and then sell photos of the victims on the black market. they use malicious software to log every key stroke that they enter on the cuters including credit card numbers, social security numbers, work documents and personal e-mails. they send deceptive messages to appear as though they're sent by banks to convince people to disclose the account information. microsoft has long partnered with other companies and global law enforcement agencies to battle malicious cyber criminals such as those who operate botnets. we do not and cannot fight botnets alone. as the title of the hearing suggests it requires efforts of both the private and the public sector. we routinely work with other companies and des midwestic and law enforcement agencies to
dismantle botnets. our joint efforts dpon strait that partnerships are highly effective as combatting cyber crime. problems as complicated of botnets cannot be addressed without partnerships. microsoft's philosophy is simple. we aim for their wallets. cyber criminals operate botnets to make money. we disrupt botnets underlying the profit of the attacks. microsoft draws on our deep technical and legal expertise to develop carefully planned and executed operations that disrupt botnets pursuit to court approved proceedings. in general terms, microsoft asked for permission to destroy the botnets breaks the connection between the botnets and the computers. traffic generated by infected computers is either disabled or routed to domains controlled by microsoft where the ip addresses of the victims identified.
privacy's a fundamental value. when we execute an operation we are required to work within the bounds of the court order. we never have access to e-mail or other continent of victim communications from infected computers. microsoft receives the addresses used by the infected computers to identify the victims. we give domestic ip addresses to providers in the united states to alert customers directly. we give the rest of computer emergency response teams commonly referred to as serts in country is a then mote if ied of the infections and offered assistance in cleaning the computers. in summary, to the course of an anti-botnet operations, microsoft works to protect millions of people and the computers against malicious siper criminals and led to the disruption of trust on the internet. cyber criminals continue to evolve. they keep developing more
sophisticated tools to proprofit from the chaos that they themselves create. we remain firmly committed to working with other companies and law enforcement to disrupt botnets and make the internet more trusted and secure environment for everyone. thank you for your time, senator, and i'm happy to answer any question you may have. >> ms. mcguire? >> chairman whitehouse, thank you for the opportunity to testify today. i'm especially pleased to be here with you again to focus attention on bot nets and cyber crime and how industry and government are working together to address the serious issues. as the largest security software company in the world, symantec protects information business botnets are the foundation of the ecosystem and as was discussed earlier, the uses for malicious botnets are only limited by the imagination of the criminal bot masters. these can range as you mentioned from distributed denial of
service attacks to bitcoin mining to distribution of malware and spam. bot masters also rent out their botnets as well as use them for stealing passwords, credit card data, intellectual property or other confidential information then sold to other criminals. until now, virtually all botnets have been networks of infected laptops and desktop computers. however, in the past few years, we have seen botnets made up of mobile devices and we fully expect that the coming internet of things will bring us with it a future of thing bots ranging from appliances to home router to video recorders and who knows what else? taking down a botnet is technically complex and requires a high level ofl expertise. law enforcement and the private sector working together have made significant progress in the past several years. the work to bring down the zero access botnet, one of the largest botnets in history at
1.9 million infected devices is a good example of how coordination can yield results. zero access was designed for click fraud and bitcoin mining with an estimated economic impact of dens of millions of dollars lost per year and the electricity alone to run that botnet cost as much as $560,000 per day. one year ago today, we began to sink holes infections which quickly resulted in the detachment of more than half a million bots. this meant that the bots could no longer receive any commands and were effectively unavailable to the bot master for updating or installing new revenue generation malware. another significant win came last month with the major operation against the financial fraud botnet game over zeus as several witnesses testified to. as part of this effort, we worked in a broader coalition to provide technical insights into the operation and impacts of this botnet.
as a result, authorities were able to seize a large portion of the criminals' infrastructure. in our view, the approach used in the game over zeus operation is most successful to date and should be a model for the future. a group of more than 30 international organizations from law enforcement, the security industry, academia, researchers and isps all cooperated to collectively disrupt this botnet. this successful model of public and private cooperation should be repeated in the future. while zero access and game over zeus were successes for law enforcement and industry, there are undoubtedly more criminal rings operating today. unfortunately, there are just not enough resources. as you said, so many botnets, so little time. as criminals, migrate online, law enforcement needs more skilled personnel dedicated to fighting cyber crime. and we take numerous steps to assist crickets of botnets and
cyber crime and aid law enforcement around the world. in the interest of time, i will mention victim voice.org, a new online assistance program that we unveiled in april with the national white collar crime center. this site helps cyber crime victims understand the investigation process. and in particular, i'd like to thank you again, senator whitehouse. it's already helped many victims of cyber crime. in combatting botnets, cooperation is key and the private sector we need to know that we can work with disrupt botnets without undue legal barriba barriers. i'm not talking about a blank check but consistent with protections and parameters, we need to be able to share cyber threat information and coordinate efforts quickly. information sharing legislation will go a long way to do this. but it also must address the considerable privacy concerns and must include a civilian
agency lead and data min mization requirements. last, the law governing cyber crime should be modernized. in the u.s. we need to amend laws such as the electronics communication privacy about and others written before the modern internet and e-commerce was invisioned. in addition, mutual legal assistance treaties and process that allows governments to cooperate take far too long to address the realtime nature. as this subcommittee knows so well, we still face significant challenges in the efforts to take down bot nets and dismantle cyber crime networks. while there remains much work to be done, we have made progress. we're committed to improving online security across the globe and we'll continue to work collaborateively with the customers, governments and industries on the ways to do so. thank you again for the
opportunity to testify today and i'll be happy to answer any questions you may have. >> thank you and thank you for symantec's leadership in this area. i'm going to briefly recess the hearing. we have a vote that started 15 minutes ago and i have 15 minutes to get there and vote so i have zero time and with any luck i vote, vote on the next vote and then come right back and then we'll be able to proceed uninterrupted fashion so please just relax in place. probably going to be five to ten minutes and we'll resume. thank you.
>> so a break in this hearing on crime and terrorism as the chairman sheldon whitehouse just said. a vote now on the floor of the senate. and this hearing will resume after he returns from voting there. a hearing today on cyber crime and the efforts of the government and private industry to stop so-called botnets. we're hearing on this panel from representatives from microsoft, symantec, far sight security and the online trust alliance. our live coverage should continue in a few minutes here on c-span3. while we wait for the resunks of this hearing, we'll show you at least part of a discussion from this morning's "washington journal" on the influx of unaccompanied children crossing the southern u.s. border.
>> the morning, representative jeff dunham of california on the veterans affairs committee. good morning. >> good morning. >> could you give a little bit of your personal take on being from the part of the country you are and parlay that with what's going on with the border? >> sure. i mean, california is a border state that has a much higher immigrant population. you know we are the largest ag state and guest worker programs that worked in the past and have a larger immigrant population because of that, as well. but, i'm also married to a first generation pouerto rican-mexica. it's a personal issue. i helped my father-in-law to help to become legal. we know, you know, from a personal level, but from a community and from a state level that our immigration system is broken.
i think the entire country's starting to feel that now with this border surge that we're seeing with 160,000 unaccompanied minors coming through. now the whole world or the woel nation and the whole world looking at america what to do with this problem? >> the president asking for more almost $4 billion to address the southern border. do you -- what do you think of the figure and do you support it? >> it's a figure that's grown very, very quickly. the president initially said a $2 billion number. you know, i want to see what's in that number. i believe that we absolutely need an appropriation. this is a humanitarian crisis. we have to resolve it quickly. these retense centers popping up across the nation on the military bases and churches and different locations kids are housed in gymnasiums is not a good approach. we need an appropriation to not only deal with the crisis in a humane way but we secure the border in the same round, so i
think we are going to see a bill here very shortly to deal with both. >> do you support sped-up immigration deportation hearings as called for by some? >> i do. the biggest thing to funding this is the courts. that's the smallest amount of funding in the overall bill. i think it takes it to 65 million which would be enough for 55,000 by the administration's numbers, 55,000 cases. well, if we have 160,000 coming in, we obviously need to beef up the courts much, much more than that. doing a catch and release program and sending people back into communities and saying, please show back up in the next couple of years does not work. i think the american public is outraged as this crisis conti e continues on. >> where does speaker boehner stand and do you agree or disagree with the positions he's taken on it? >> he's been supportive. he knows this is something to get done but he will do in it a respectful and mindful manner.
i'm pushing. i want to see top to bottom reform and pushing hard, not only on first securing our border, but secondly, have a guest worker program. we have to have e-verify and talk about the 11.5 million here today that have gone through the schools, that have grown up in our community, that consider themselves americans but do not have a way to work and -- >> what should be done about them then? ones currently here. >> i think multiple different solutions. first of all, the kids going through the schools, brought here to no fault of their own they should have an expedited path. i have the enlist act, for example. i served my country proudly. i served with immigrants. always had immigrants in the military. why not let the best and brightest out of the school system to pass a background check, speak english, meet the military cry tear. to take them and bolster the national defense, why wouldn't we allow them to serve and
there's no better way to show faith and commitment to a country than to serve in the mill tir. >> where's the enlist act going? >> we have a ton of co-sponsors, both sides of the aisle. you know? we're hopeful in this whole debate with border surge and with border protection, that we actually get the enlist act passed at that same time. that will be the first issue that deals with any type of pathway. but obviously, we have 11.5 million here and growing that we need to resolve. this is a multi-generational problem now. this has gone on over 30 years. >> i understand it correctly, the enlist act you worked with kevin mccarthy. >> a co-author. >> do those better your prospects for the acts heard now that he's majority leader? >> i think the biggest challenge is timing and no deadline. this place operates with deadlines. i mean, when there's an ag bill, farm bill coming up, a dairy cliff came up in it.
you know? we always hear about the fiscal cliff. when deadlines hit, congress acts. there is no deadline with immigration and why it's pushed out both by republican and democrat administrations. we are starting the debate now. people realize this is a crisis and because we have a border surge, there's a date certain. we take up the enlist act at the same time and i think it helps break the wedge to talk about the issues and engage the american people, as well. >> talking about the issues, you mentioned those currently here not supposed to be here, sometimes amnesty is tagged to that kind of effortment what does that mean to you or when you hear that term, what do you think? >> when i hear amnesty, i think of a freebie. somebody just to give you a free pass. there is nothing like that in any of the bills that we are seeing right now. we need to have something that's very strong, that follows the rule of law. that has a process and a procedure. i mean, even hr 15 widely debated around the hill here has
a 13-year pathway that has several safeguards to jump through during that 13 years and still following at the back of the line. it just -- you've got to come to realization there are not going to be tons of buses that come and start picking people up. if we have a situation here for 30 years, why not resolve it? >> even this morning in "washington times" senator rubio saying it's the senate's version of the immigration bill not currently stop when's going on at the border today. >> it would not, no. it's two separate problems. we added the mccall border protection bill. so we have got to secure the border. we have to have metrics and measurements to ensure to the american public it is secure before moving through any of the other measures. part of the challenge i think for republicans is the concern that this president might implement different pieces of the law without addressing the
border first. i mean, this is a president that said in 2011 the border is absolutely secured. in fact, he chastised republicans during an elections on how secure the border was. it's obvious the border is not secure today and taking a change in law not only the 2008 law which the president supported on human trafficking but going to take actually putting in the same types of safeguards we have in the southern border in california where you have two fences or cameras or you have got motion detectors. we have all of that between san diego and tijuana. you don't have it in the rio grande and texas and you can put in the measures and we don't have a situation where border patrol can patrol our entire southern border. i mean, just having them having the ability, i mean, in texas, they have got millions of acres of interior and department of forestry property they can't go into and so that seems to be the easiest place to go through is where you know the police or the
border patrol aren't patrolling. >> dejeff denham with us until 8:30. the numbers on the screen. 205-855-3808 for democrats. 202-588-5385 for independents. if you're on the border, your perspective welcomed on a separate line. our first call is from alabama. this is pat on our republican line. go ahead. you are on with the representative. >> caller: thank you. we've got a facility at guantanamo bay where we housed haitian refugees a few years ago. why can't that be used to house these children? we could also help the president eliminate the prisoners there by training them as child care workers and let them earn some money to fly themselves out. the children could be released
from guantanamo when their parents pay for airfare to take them home. thank you. >> pat, thank you for the question. well, first of all, i don't know that i want al qaeda or the taliban that are in guantanamo as the best day care for these kids that are coming across. you know, i think we have got to deal with the crisis in a humane way. you know, certainly housing them in the military bases may be a short-term solution, but 160,000 is such a huge number that guantanamo could only handle a small percentage of that. and california, we have a naval base holding 400. they're doing between 400 and 1,000 per different military installation and now trying to reach out beyond the military inlags i installations to churches or colleges with a gymnasium and the fundamental responsibility i
think of the federal government, first of all, i think the president needs to send a strong message very quickly. it should have happened already dealing with the other heads of state just to say, look, we are going to send your residents back to you. we'll work with you but we can't just continue to have this influx coming across the border. the president should be working with mexico to make sure their southern border is secure. in the past, they have had much stronger policies but in 2008 they changed their policies to give people coming across basically a two-week visa and they realized very quickly that over 80% of the people that were getting the two-week visas were not coming back again. so our partner just like can canada, mexico should be working with us, as well. we have an obligation as congress to secure the border and to appropriate the funds necessary and actually stop this surge once and for all. you know? like pedro said, the immigration bills we have seen would not stop this problem.
so we have got to have a separate bill to deal with not only the 2008 law passed but also making sure that the border is secure. >> mike rogers said that the initial request of 4 billion is a lot of money. where do you see the request going legislateively? >> it's hard to say. it depends on how strong of a bill is in there and we have offsets for that new expenditure. so, i would expect the funding level to go down. but again, i think it depends on everything else that's in that bill. right now the courts is far too low and we want to see actually the border patrol dollars that they're actually going to where the border patrol is tells us they need to go. >> katy, texas, hello, wayne. >> caller: i hear all the time secure the border, secure the border, but yet, nobody comes up with a plan to secure the border. once in a while they'll build a fence or do something.
they just go under it. the only way to secure the border is a minefield along the whole damn border and maybe that will secure it. but nobody -- secure it, secure it. they don't have an idea to secure it. thank you. >> thank you. i think a minefield is a little extreme. but, you know, we're seeing plenty of plans. there is no shortness of ideas here. and mccall bill that has bipartisan support and went out of committee unanimous has the safeguards to make sure that border patrol measuring this with metrics of 90% efficiency of catching everybody comes across. while we talk about 160,000 kids projected to come across in the next year, that's still only 25% of our problem. so we still have a whole other 75% coming across the border today that we need to secure. so, yes. it is very different. i mean, in the cliffs where we
have cliffs and gorges in texas, doesn't make sense for fences and then department of interior, we need roads and to go in there and even in san diego, where we have two fences and a cameras and the motion detectors, we still have people that will jump one fence and cut through the other. which is why we have to have border patrol agents ready to go out there and not only resecure that fence but to make sure that they're actually tracking and catching those people that are coming across illegally. >> spring hill, florida, carol, good morning. >> caller: yes. good morning. first of all, i must say that i myself am an immigrant, the daughter of a world war ii war bride and sailor and foster kids for many years and i think a couple of issues overlooking. we have an immigration process not only to let people in to the country but to make sure that the people we're letting in are
people who are not going to be detrimental to this country. i've seen my father's immigration papers. my father had to promise she would not break the law, not be a burden on the country and i think we have kind of gotten away from the process of what immigration is. there's a part two to this. people who come across the border undocumented tend to live in underground communities, the children are molested. the people are, you know, the wives are beaten. but nobody calls the police because they're here illegally. so, by not containing this flow of undocumented imgrants, we're not only creating or adding to this underground society thing, but it's also dangerous to the people on this side of the country and why we have an immigration process. as far as the deadline, our government made the deadline when we threw the brits out and
declared our independence. we just need to make sure now that we can do this and i think it needs more manpower on the border, you know, to close this. and i think part of the problem could be solved if we would hire mexican officials to guard the border on the other side to make sure they didn't get that close. >> carol, thanks. >> thanks, carol. first of all, let's start with where you finished. that's proposed. i don't believe in funding another government and should work with the other government to fund securing their side of the border. there's a lot of corruption in mexico that we should be concerned with. they're having challenges with their police force and military, with dealing with all of these big drug cartels so, yes, i think they should be policing the north and south border themselves but i don't think that that would necessarily solve our problem. you know, in this bill talking
about, this new appropriation there would be more manpower pugt at the border. but yes. i agree. we have to have a rule of law and a process that fits the american public. so that we know how many people are coming in, what countries they're coming from, what specific skills are they bringing to create a greater america? and those that are already here today, yes, there's an underground to say but it is -- a real public safety issue. i talked to my sheriff in my home county all the time about the crimes that go on, that are unreported. that's why we have got to have a pathway both for a registered provisional status, the first six years and then a second provisional status and then legal permanent residence a process for back taxes and back fines paid which are important. >> all right. the hearing will come back to order. i appreciate everybody's courtesy while i got those two
votes done. and now dr. vixie we welcome your testimony. we welcome you here. please proceed. >> thank you, mr. chairman. thank you for inviting me to testify on the subject of botnets. i am speaking today in my personal capacity based on a long history of building and securing internet infrastructure, including domain name infrastructure and here at the behest of the messaging malware and mobile anti-abuse working group moog nonprofit internet association whose international membership is actively working to improve the internet security condition worldwide. let me start by reviewing some successful botnet takedowns in recent years since they may prove instructive. they're successes, after all. in 2008, the worm was discovered and by mid-2009, over 10 million infected computers participated in the botnet, the largest to
that time. i had a hands on keyboard role in operating the data collection and measurement infrastructure for the takedown team. in which competing commercial security companies most of which were members cooperated with each other to mitigate this global threat. then in 2011, the u.s. department of justice led operation ghost click, in which a criminal gang in estonia was arrested, charged with wire fraud and conspiracy. while shutting off the criminal infrastructure the victims depended on. my employer was the court-appointed receiver for the criminals interknecht
connectivity and resources. i personally prepared, installed and operated the replacement servers necessary for that takedown. in each of these examples, we seed an ad hoc public/private partnership in which trust was established and sensety information, including strategic planning was shared without any contractual framework. these takedowns were so-called handshake deals. where personal not government heft was the glue that made it work. in each case the trust relationships we had performed were key enable ers in which intent, competent and merit were the guiding lights. the important cannot be overemphasized. we have found that when a single company or agency or a nation goes it alone in a takedown action, the result has usually been catastrophe.
the ad hoc nature of these public/private partnerships may seem like cause for concern, but i hope you'll consider the following. first, this is how the internet was built and how the internet works. second, this is how criminals work with other criminals. we would not get far by trying to solve these fast evolving global problems with top-down control or through government directives and rules. as you yourself pointed out, a botnet is literally a network of robo robots, whereby "robot" we mean a computer that's been captured and made to run software neither provided by the maker or authorized or installed by its owner. it has conflict -- and so forth. the only hard and fast requirement for any of this
software is interoperability, meaning it merely has to work. the cost of the internet's spectacular growth d. sorry -- the cost is much of the software we run was not adequately tested. the challenge for the internet is perhaps there's more assurance that an ul listed toaster will not burn our house, whereas some of our devices are insulated from becoming a tool of online criminals. these are consumer devices in a competitive and fast-moving market. time to market is often the distance between success and bankruptcy. this is a very brief overview. i'd like to leave you with the following thoughts. number one, the internet is the greatest invention in recorded history, in my opinion, in terms of its positive impact on human health, freedom and on every national economy.
the interned is borderless, yet carries more of the world's commerce every year. number four, takedown of criminal infrastructure, including botnets must be approached not just as reactions after the fact, but also as prevention by attacking underlying causes. number five, the u.s. department of justice is the envy of the world in its approach to takeouts and its awareness of the technical and social subtleties involved. when i give a special nod to ncfta, a public/private partnership with strong fbi ties located in pittsburgh. number six and finally, no legislative or regulatory relief is sought in these remarks.
the manner in which government and industry have coordinated and cooperated on botnet takedown efforts have underscored the effectiveness of public/private partnerships as currently practiced in this field. mr. chairman, this concludes my oral statement. thank you for this opportunity to speak before you, and i would be happy to answer your questions. >> thank you very much. finally. before i my apologies for the mispronunciation earlier. and let me say without objection, the complete statements will be made a part of the record. i appreciate the abbreviated version that allows the testimony to proceed expeditiously at the hearing. >> thank you very much. >> i would also thank you for your leadership and focus and attention to this important topic.
my name is craig spiezle. i'm with the online trust alliance. ota is a global nonprofit to enhance online trust, and promoting the vitality of the internet. botnets pose a significant risk to governments and businesses. increasingly bots are -- ransom wear, driving identity theft, takeovers and holding users and their data hostage. it's important to recognize that fighting bots is not a domestic issue. criminals are leverages the jurisdictional limitation of the law infersment and often operation with impunity. left uninvaded they are a significant threat to our infrastructure and our economy. in my brief testimony, i will touch on five keir areas -- status of industry efforts, a holistic anti-bot strategy, the role and issues of takedowns,
the role of data sharing, and the importance of privacy safeguards. efforts to combat botnets have been arranged by a -- an example is the fcc's security and interoperability council which last year developed an antibotnet code of conduct for isps. this is a first is it eman example of the industry's ability to self-regulate. in parallel, the ota has fa silled several efforts bringing in leaders around the world. we have published specific remediation and notification best practices and anti-bot guidelines to hosts, the initial adoption of these practices are now paying dividends, helping to protect user data and their privacy. it requires a global strategy, as outlined here in exhibit a, ota advocates a five-prong framework -- prevention,
detection, notification, remediation and recovery. and within each one of these, we've outlined a partial list of tactics, which underscores the increased need for collaboration, research and data sharing between both of public and private sectors. in the bottom of this, it also points out the role of consumers and education. we need to help them update their device, and also look to how we can education them on the risks of botnets. as outlined, law enforcement is an important part as well. it serves three major functions -- during this period of timing cybercriminals and bringing criminals to justice, but law enforcement cannot act on this alone. a trusted partnership is required, and progress has been made with industry leaders, including microsoft, symantec and others. but they need to be taking into considering -- one, the risk of collateral damage, two the errors in identifying targets
for mitigation, and three, the importance of respecting users' privacy. for example, when taking down a web hoster because they have a handful of bad customers there's a risk of class real damage. at the same time, service providers cannot hide behind bad actors and they must take steps to prevent the harboring of such criminals. it's also important to note they all run similar risks. web browser can misidentify phishing sites and av solutions can mistakenly block downloads. recognizing these possibilities, risk assessments procedures must be preestablished with processes in place to remediate any unintended impact. data sharing has a promise of being one of the most impactful tools, yet must be reciprocal. collaboration is required in all sectors. in this void the privacy larned
scape is also rapidly evolving. prior sill must be the foundation of all data-sharing practices. i believe these can be easily addressed. when data is used and collected for threat detection, conversely, industry needs assurances that law enforcement will not use any data for any other purposes. as this exhibit outlines, every stakeholder has a responsibility. progress has been made, but a renewed commitment is required. as the enter net of things, mobile and the smart grid and wearable technologies become prevalent, we need to look beyond the desk stop. in summary it's important to recognize there's not absolute defense, both the public and private sectors need to increase in data sharing and adopting privacy enhanced practices, while finding new approaches to work with law enforcement and expand international
cooperation. working together, we can make the internet more trust worthy, secure and resilient. thank you, and i look forward to your questions. >> thank you very much, mr. spiezle, and thank you all. i'll ask a question of each of you for are the record, which means if you could provide a written response, an that is, as you've heard, senator grave and i are working on legislation in this area. as you heard from the first panel, the department of justice and the federal bureau of investigation have a number of suggestions, i'd like to ask you for provide your comments, if any to the suggestions, and add any suggestions you may have of your own so kell with build a good legislative report to support other proposal going forward. i'm also interested in your thoughts, as a lay person, it
strikes me that botnets are becoming more dangerous, that the capabilities are growing. my first exposure to botnets was when they were spam propagators, and then they became distributed to vectors to swamp individual web sites. but now they seem, so many additional capabilities have been listed in this hearing right up to and including having people spy you on through your web cam on your computer while you're going about your business, and tracking your keystrokes individually so that they can know your passwords and have access to your accounts, is my lay reading that botnets are becoming more dangerous or learning the -- the criminals behind them are learning more dangerous capabilities a correct one? what do you think the rate is of
that change, if i'm credit? mr. boscovich. >> i think the observation is correct. we're seeing an ever-changing sophistication on the part of cybercriminals. i would like to point out to one particular case that demonstrates how creative cyber-criminals are. in this particular case, if my memory serves me correctly, one of our industry partners was symantec on that case, a case in which the bot-herders had developed code which took a step backwards. one of the reasons they did that is because technical counter measures that had been put in place by being google and other company toss detect click fraud relied upon a certain type of algorithm. the criminals understood that, they had to reintroduce a human element into their code. in essence what they did is they've changed their code, and they took one step back to take two steps forward in such a way
that the user would be using his or her mouse. while they were clicking or looking for something, the reality was that they were in fact clicking on ads that the user was not even seeing what was appears better hind the screen that they were looking at, introducing a certain variation that was consistent with human behavior. so the observation that criminals are in fact always learning, always changing is an accurate one. i think this example really underscores how sophisticated these cybercriminals are. >> in both dimensions, as you view it as an infrastructure for criminal activity, it has to be maintained, groomed and they're getting more sophisticated at that, they are also getting more sophisticated they top of criminal payload, if you will, that they deliver through that botnet as well. is that correct, ms. mcgwire? >> that's correct. i think your summary is quite accurate, that they have begun
to progress and being more sophisticated. for example the type of infrastructure they are using now, moving from simple command-and-control servers to peer-to-peer networks. is the type of morphing that we are seeing. all avenues that -- at their availability. >> dr. viksa, you mentioned that in the face of this threat prevention was something that we should be looking at, and you used the phrase in your testimony what did you mean by underlying causes. and what would you recommend?
>> i think that the reason that botnets have gotten stronger is because our computers have gotten stronger. our network has also gotten stronger, so it's -- it is possible to get a lot more work down with each computer you, as compared to five years before that. if they want to start kicking the dependencies under botnets, we would need to somehow address the lack of testing. i mentioned in my written remarks this last week there was an -- i think it was a we're leg light babb that has a terrible security flaw in it. i understand how that can happen. i've tried to get products out my door myself. it's difficult to say, yeah, let's hold it back a couple
weeks while we try to attack it every which way. what you want to do is get it out there, put it in customers' hands and so forth. that is not going to work. we have got to find a way to test the software the way the bad guys do. we have to do the so-called red team test, where you try to break in. if you can, you get some sort of internal prize. we have to find a way to encourage that. >> so with the electricity with the new technology, people trying to get stuff out the door that caught fire if you left it on too long, as you pointed out with respect to the toaster underwriters laboratory was established to make sure appliances met the standards, have not been really a prominent concern for americans for quite some time. and how would the see it as bick
overseen? >> when you're doing this kind of testing, you're looking for combinations and perm stations of how you set the knobs the problem is that my laptop has more complexity of that time than all the computers on the planet had 30 years ago. and so coming up with a direct analog of the way ul tests our electric devices i think is misleading. i think standards in software development, standards in testing, possibly get away from some of the older programming languages that almost encourage the time of dwellings we see. >> how would those proposals be best administered?
through a rating that gets -- you can advertise you have on your product if you have been through it voluntary. >> in that set, it's perfect. it's voluntary. if you want to sell a device that's not listed, it's up to you. if fewer people want to buy it because it doesn't have that stamp, that's up to them. so i think there is room for someone to step into that role, but it's not a government role. >> gotcha. mr. spiezle, you felt there were steps that consumers, individuals could take to better acquaint themselves with this threat and better protect themselves from this threat. what would your recommendations be this seems like a high-tech
type of crime. if you're an innocent user of your own computer, doing what you're good at what sensible steps should i be -- to defend themselves? >> let me clarify. my point is we all have a shared responsibility, not unlike driving a car. we have a responsibility for driving safely. we need to make sure our car is updated. we have new tires on it. that was the point there. i think realistically, though, education has a limited effect here. these attacks are social engineering, exploits are very hard to identify, they're drive-by. just by the very nature of going to a trusted website that someone types in a url, there can be -- it's a shared responsibility, but i don't put
the faith that that's going to be the solution, but it should be one part. i do want to address one point from your original question about the sophisticate, and clearly in the technical aspect, clearly the bot masters are more and more sophisticated, but also they're more sophisticated in leveraging by data. data mining capable, so that adds to the profitability, their ability to use that data, and then in the underground economy makes it very profitable, so they become very nimble. they've become good marketers in a sense and they're learning from business. those are some of the challenges we must address. >> two final questions. the first is that many of the perpetrators in this area are foreigners. and we're obviously going to work with the department of justice and the federal bureau of investigation to make shirr that they have the capabilities that they need to be as strong
as they can be in terms of pursuing foreign criminals. but none of you are voefd as laws enforcement officials. you are involved as representing private companies and organizations. in that sense when you bring a civil action to close down a botnet, you may have civil remedies against individuals overseas that are different than what a prosecutor would be looking at. are there recommendations that you would have as to how we could strengthen overseas enforcement against the individuals and organizations that are running the botnets that could supplement just the technical capability to take down the botnets? sirchlts well, senator, i think that as a private company, as you mentioned, our main sphere of evidence is only flus the civil process. once we get default judgments,
there is a procedure in which we could seek to, for example, localize a u.s. judgment overseas, but it's a complex and lengthy process. in all of the action that is we take with our partners, we then go ahead and always refer the cases and evidence that are the basis of the information that we arrive at through the civil process to law enforcement. the pros has been around for quite some time. and i believe some representatives were here earlier today. these are procedures that have been around for a very long time. there's always been a question. i could only talk about my experiences when i was at justice, that it does take time to turn this information request around. >> the coordinating country of two minds as to how much they
want to that's why the partnership is important. what we try to focus on is the immediate cessation of the arm to the people on the internet. to sever that communication, to stop the harm, and to notify the victims, and then try to do something to remediate and clean their computers, working through isps, that's the job that we believe we can do and do very well with industry partners, and with the government as well. in terms of the criminal side, i would have to defer to my former colleagues at the justice department. >> i was thinking more of the civil side and pursuing personal liability and accountabilities foreigners who have done harm to your companies, ms. mcguire, that game over seuss, modifications to that particular malware already being used by a new criminal gang or perhaps the
original perpetrator who fled to eastern europe to launch new criminal activity. this is the kind of thing where if we had a faster, speedier inlet process we could potential address these kids of issues, as oppose to do what i have been told by law enforcement partners can take anywhere from six months to never. so those are the enhancements that we need in order to go -- >> again you're comfortable relying on the law enforcement process and at this point don't have any interest in pursuing civil liability against private companies against foreign individuals as a deterrent or to recover for the damages that they have caused you? >> most of our activity is on the shares of information and
notification to our international both law enforcement and cert partners. so they can take the action in their jurisdictions. what have each of you seen in terms of the coordination that has been your experience between the private sector and between law enforcement? it seems to me fourth quarter what i hear, to be in a pretty good place right now. there are a number of mechanisms through which -- the f-guide in particular, but other agencies cooperate with the private sector, exchange information, i would like to hear from each of you how close we are to what you think we should be doing. start from this side. >> i then we've had great success, but i think there's a whole other layer we are not getting today.
more data shares, and certain we're seat process with the sfi-sec. we get data from them. the reason this is important is it's connecting the dot. not always just from the isps and other sectors. we need to open the dialogue, but also to remove the burden of whether it's antitrust, the concerns of privacy, or the concerns of regulatory authorities coming after them. how do we open that dialogue even domestically so we can get a higher level of telemetry from other data sources. >> dr. vixie? >> i mentioned in my remarks that the internet is borderless, you mentioned in this question that the criminals are borderless. i think that firmly points to the fact that our solutions have to be borderless.
i will say ncfta in pittsburgh has a huge international outreach program. i go in there and do training of the international law enforcement community every summer, but they do it year round. it's a huge thing. a lot of the other country where cybercrime is originating right now don't have the capability to train their people logly. so i think i really want to encourage more outreach of that kind, i don't have an answer for civil lawsuits. i know that it can be used if you're trying to get at somebody and you don't know who they are, you can obvious get a court order using a john doe, but it's me messy and it hasn't produced
consistent results. >> we've seen significant improvements frankly over the last two year and our ability to work with them, their responsesives in to the information we are sharing with them, about just the process that they are using. as i think i mentioned earlier, game over zueus is the best camp so far. they reached out to over 30,000 organizations, brought all of them together so that collectively we could be ready
and work the takedown once the junctions and appropriate actions were taken. >> borderless response, to dr. vixie's comments. >> borderless response, exactly. we have a model as a proof point for the future. >> mr. boskovich. >> i think deconflict shun is one of the dee dee tails. in cases such as sit adebt, more recently a perfect example of public priefer all while stopping the harm immediately, working to help the victims, yet statement allowing the criminal side to do what they do best.
where we deconflict law enforcement to achieve the greatest impact possible in these takedowns. >> thank you very much. a final good worked to microsoft, just lawyer to lawyer, you are among the earl yes companies, probably all three of you were involvement. and just as a law, to real those early complaints and see the statutory grounds based on very modern complicated electronic privacy statutes, and at the same time doctrines of english common law that were transmitted to american when we formed or country dating back to the 100s,
side by side, it was a -- it must have been a lot of fun, terrific legal work, and it had a wonderful effect, so i compliment you on it. i assume that you would want, you know -- we're legislators, so we think about legislating everybody just like the story about the hammer. every solution that a hammer sees requires a nail. and so we tend to think in terms of new and amended statutes. but i gather you would want to make sure we left room for traditional common-law remedy toss maintain themselves as a part of the repertoire here and allow the natural development that the common law permits. is that fair to say? >> absolutely, senator. one of the beauties behind the common law system is its ability to adapt constantly to new facts. what we are looking at here is a threat which is constantly adapting.
something that is always moving, always morphing. the beauty behind common law and trespass to chattels, tortious interference, these are theories we can use over and over again and are part of a system that at its core, is able to adapt quickly. so yes, i would love to see the standard common law principles remain intact as we tackle these. now, having said that, it doesn't mean there's not always room for improvement in both present statutes and potential even new statutes. we would gladly take a look at any type of amendment and/or proposed legislation that congress and yourself may have, and give our comments so that you could have the best insight possibility from us, at least. >> certainly when they first came up upon trespass on chattels, that certainly has been a lasting doctrine. let me thank all of the witnesses for this hearing. i appreciate very much your input. i look forward to the responses
to the question for the record. i think that we have a very strong bipartisan group of senators who are very interested in this sure and are looking forward to coming up with legislation that can pass and help you in your important pursuits to protect our economy, your clients and your companies from the kind of attacks that are we are seeing largely from overseas. so god speed to you all in your work. thank you very much for what you have done and for your testimony today, and we will keep the record open for one week for anybody who cares to add anything to the record, and for the response toss come in. with that, we are adjourned.
tomorrow the house rules committee holds a hearing to consider legislation put forth by house speaker john boehner that would grant authority to begin a lawsuit against president obama for what it calls actions by the president inconsistent with his duties under the constitution of the united states. live coverage begins tomorrow morning at 10:00 eastern here on krmt span 3. we are at the henry a. wallace country life center, which is 50 miles south and west of des moines. this is the birthplace home of henry a. wallace. the wallaces of iowa consist of
three generations of wallaces. the patriarch was known as fondly as uncle henry, and he was the founder of wallace's farmer mag inn. his son henry c. wallace was u.s. secretary of agriculture under wood row wilson, and henry c's son was born on this farm in 1888. he went on to become editor of wallaces' farmer magazine. he was asked by franklin roosevelt to serve as u.s. secretary of agriculture, which he did from 1933 to 1941. he was also vice president. he is known for the agricultural adjustment act, which was the first time that farmers were asked not to produce. at first people couldn't believe the things that he was proposing
regarding that, but then as prices went up, they started to listen to him, and -- literary life of des moines iowa, saturday at noon eastern on c-span2's booktv. sunday asp at 2:00 on american history tv on c-span3. now you can keep in touch with current events from the nation's capital using any phone anythyme on audio now. every weekday listen to a recap of the day's events. you can also hear audio of the five networks beginning sundays at noon eastern. c-span radio on audionow.
202-626-8888. long distance or phone charges may apply. representative ted vo of texas, digital privacy advocates and industry representatives took part in a presentation and discussion of digital privacy laws. congressman po is a co-sponsor of legislate that would require the government to show probable cause and obtain a search warrant to access electronics communications. the cato institute hosted this event. good afternoon, welcome to the cato institute. both those of you here in the
auditorium, and those of us joining us remotely. my name is julian sanchez, a senior fellow here. and we're here to discuss the path towards digit at privacy reform. and we're not merely for the unprecedented public scrutiny on government intelligence surveillance that has emerged over the past year as a result of leaks originating with edward snowden. obvious i find in my experience speaking and writing about those issues that members of the public are shocked to discover that extraordinarily easy access to our most sensitive forms of digital information is not restricted to hyper secretive spy agencies chasing international terrorists and spies, but that smaller-scale versions of similar capabilities are enjoyed by local prosecutors
and police departments on the trail of drug dealers and tax evaders. certainly even collectively they could compete by sheer magnitude, but the explosion of surveillance is nevertheless quite staggering just to give you a taste of the scale of this that we've recently begun to become aware of, using companies who we have representatives of here today, which have voluntary begun providing transparency, google in the second half of 2013 alone fielded more than 10,000 questions for government information, more than 18,000 accounts. 4,000 of those accounts were the targets of search warrants, the rest subject to much lower standards.
only 11 of those orders were full-blown wiretap orders, a fairly high asked of evidence, higher even than an ordinary search warrant, which we do have public information about, because wiretap orders are aggregated and counted annually in a fairly detailed report. microsoft must be jell os. they fielded a immediately 5,000 requests in the same period, covering some 13,000 accounts again, as for other companies that are not von tears begun providing -- we simply have no accurate picture of the scale of government access to either the contents of people's digit at communication or equivalently sensitive metadata about their online activities. this is somewhat remarkable, because the supreme court recently held in a unanimous ruling, in riley v. california, a search of a mother-in-law cell phone, the data on that phone
would typically expos for the government far more than the exhaustive search of the house, bringing out the constitutional heavy ammunition, since the home is the traditionally most -- the court further observed showing somewhat fruitful technologies, at least, increasingly this kind of sensitive information is likely to be stored remotely as locally. that as they put it, cell phone users often may not know whether tick lawyer information is stored on the device or in the cloud. it generally makes little difference, but the court said it makes little difference to the user. under federal statute, that is to say the 1986 electronics communications privacy act, it actually makes an enormous difference. under many circumstances, the statute allowed cloud-stored contents or metadata about people's internet activities so detail to be equally invasive to
be obtained punt so peer subpoenas or other court odds with substantially lower standards. certainly court orders in several court rules in several districts, most notably the rorschach ruling have empowered major providers to insist on warrants, but it leaves with an uncertain patchwork of rules, leaving users, tech companies and law enforcement all fairly uncertainly about the scope of legitimate government authority to demand information about users. almost everyone at this point acknowledges that this state of afarce is not tenable. more than half the members have signed on as co-sponsors to legislation that would update privacy safeguards with a cloud computing era. even the justice department and fbi have effectively acknowledged that the law is out of date and amendments requires warrants for remotely stored content are appropriate.
yet nearly 30 years after the act's passage, it stalled, so today we're going to explore why that is and what we might do about it. i am very pleased to say we have with us congressman ted poe to deliver the introductory remarks. he represents the 2nd district of texas, apparently the first republican to hold that honor, came to congress from a long career in the law, including eight years as a felony prosecutors, and two decades as a harris county judge, where his wikipedia page will tell you he became famous or notorious for creative sentencing, though representative poe assures me many of those colorful stories should be marked citation needed. he's a powerful advocate with his colleague zoe lofgren, he co-sponsored the online communication and geolocation protection act.
to protect internet yours. i'm very pleased to welcome congressman ted poe. >> thank you, julian. thanks for the invitation to be here. it's good to see all y'all this afternoon. as julian mentioned in my other life, before i came to congress, i spent 30 years down at the courthouse in houston, criminal courts building which i dubbed the palace of perjury. i spent time as a prosecutor, and then as a judge, a felony court judge hearing criminal cases, everything from stealing to killing, and everything in between.
to give you a little background, back in colonial days, the british were determined to maker sure that goods brought into the united states were not smuggled, because if they were smuggled, they didn't pay the colonists didn't pay the tax that was due the king. so they had came up with an idea to search homes. and they invented this documents called the writs of assist taj, which was a flowery term for a general warrant for the british military could go into someone's residence or business and look for really anything, but primarily looking for smuggled goods where people didn't pay the tax that was due the king form this irritated the
colonists. one of the reasons is because of the writs of assistance. after the war was over, we got our independence from britain, we wrote a constitution, and came up with a few bill of rights, ten of those, that really had their founding and purpose to prevent government from intruding the right of privacy of specific individuals under the new country called the united states i have it up here on the podium. i guess if i was high tech enough, i would have it on the screen. ly read to you the fourth amendment, and you can look at it.
independent magistrate and swear out an oath, a warrant to search a specific place for a specific thing or person. that's on the back end of the fourth amendment. it has to be very specific. it has to be specific enough under our law that if the judge signed the warrant, the judge could give the warrant to a different person, and that law enforcement officer could read this warrant, know exactly where to go, know exactly what he's supposed to be seizing, and who he should be arresting if there is an arrest. that's how specific the warrants have to be today. that was the reason the fourth amendment was written the way it was written. but the purpose is to secure privacy of the individual. so let's use the hypothetical,
not specific really too specific, but it's a general hypothetical that i would like to just talk about. we have two notorious outlaws in texas. that's where i'm from. buff them is ollie oglethorpe. the other is bobby joe oglethorpe. they are bad guys, bank robbers. let's say they decide to come to washington, and they plot and scheme to rob the congressional credit union over in the longworth building. they go inside, they rob the place, they take the loot, and they make away their escape and get away. and they hide somewhere in washington, d.c. that's all we know. they're not captured. but we know probably that the two individuals are somewhere in washington. so if law enforcement decided, okay, we're going to go get
ollie oglethorpe and bobby joe oglethorpe. we know they're in washington. they would go to a judge, they would say we know they're in washington, we know they're in zip co20003. but that's all we know. we would like a warrant to go into all of the places in zip code 20003 and find bobby joe oglethorpe and his brother ollie, and most importantly get the loot. there is not a judge that would sign the warrant to allow law enforcement to go into every building and residence. we all know that's absurd. there is no way that would occur, because the residence or the place in the warrant is not specific enough to go to that location and find the oglethorpes and/or the money. that would be a general warrant.
that would be warrants that maybe the british would have imposed back in colonial days, because the fourth amendment prohibits that type of conduct. however, let's assume that the oglethorpes have spent some time on the internet discussing this criminal activity. discussing where they're going to hide, where they hid the money, and some of their other criminal enter prices. if law enforcement had probable cause to believe that occurred, then they could go to the appropriate judge and get a specific warrant and maybe go to one of these folks here and get that information their e-mails, but let's say they don't have probable cause. they just don't have enough information to convince a judge they have probable cause to believe the information is there that they're looking for. what do they do? they wait six months, and all of a sudden on six months and one
day, without the use of a warrant stating probable cause, they may seize that information without probable cause, because the law says you can. seat it. seize it. now one would think that's absurd, that just because it is six months and one day, that the warrant requirement should not be required, but that is currently the law, because the law was written too long ago to keep up with modern technology. the privacy act was written in 1986. the internet and all of our electronics knowledge and storage has changed since then. so because of that, zoe lofgren and myself and others have sponsored one piece of legislation, and there's other
pieces of legislation where members of congress have signed onto, to fix that problem and guarantee the right of privacy. if e-mails storage is over six months old, stored in the cloud somewhere. on you well, the supreme court independent of this legislation, the supreme court ruled that you have a reasonable expectation of privacy if your e-mails are stored over six months in the cloud. i don't know how they would rule. i really don't. that's why it's up to congress, has the responsibility to legally state there is an expectation of privacy, because that is the key phrase under our law and under the fourth amendment. what is the reasonable expectation of privacy of the citizen whose information or property or papers is being seized.
i don't know what the judges on the supreme court would say. and then there's others who say there should be a reasonable expectation of privacy. we can debate that issue theoretically forever, so congress must come in and say, yes, there is a legal expectation of privacy when your e-mails are stored in the cloud. go back to the situation with regular mail, now called snail mail i guess is what it's called. some of us still use snail mail. you know, of course if you're writing a letter to someone and you seal the letter, put the stamp over it, you actually give that letter to government, and government sends that letter all over the country until it finally reaches your
mother-in-law's house, but there is a general expectation of privacy in the contents of that letter. sure there are exceptions, we're not going to talk about the exceptions, but there's a general rule government cannot go into that letter and read what you're writing your mother-in-law. can't do it. well, what if the government hangs on to that letter for six months? well, does that change your reasonable expectation of privacy? probably not. and this is going to not a private company, it's going to government, has the duty to protect your right of privacy. e-mails, they're not going to the government. they're going through a server through a private enterprise, through a private corporation. that should be even more protected, not less protected than regular mail. why? because it's not in the possession of the government, it's in the possession of a private entity. but yet if government waits out
the six months, then they can seize all of that information through the cloud. i think that's a violation of the fourth amendment, and i certainly think congress should weigh in on this issue to make sure that it's a protected right under our constitution and legislatively. there are other examples. you have a safe-deposit box and you take over your birth certificates or whatever you put in a safe-deposit box. you take it to the bank and leave it there. is your right of privacy, the right that you must get the government to little a warrant to serve year safe-deposit box forfeited after six months? because it's six months old? i think not, yet for some reason, because the way the law was written in a time where all of this high technology didn't exist, the law allows for that seizure of information. not only is it seize d, the
citizen doesn't know that it's seized. they're not informed, or what was seized. going back to the search warrant requirement. now the search warrant requirements differ from state to stay, but they all require an affirmation or oath by the person who wants to do the searching. but in many warrants, criminal warrants, for example in the state of texas, those warrants are returned to the judge, and the judge gets to review what is in the return, what was seized by government. eventually those warrants can become public record, so everybody is on notice as to what was seized. plus the person that the property was seized from gets a copy of what was seized. that's how important warrants are, except in the area of receiving information through
e-mails. you not only don't know that your property e-mails were searched, you don't know what was taken. and further government keeps that information forever. gover that information in their email train of criminal activity, if you wait six months the government can seize without warrant, you will of their e-mails, not just between each other and their criminal enterprise but to whoever they were sending e-mails to or communicating with back and forth. and that third party, innocent party, let's assume, certainly doesn't know about that, my personal opinion, that's a violation of the fourth amendment right to be secure in your persons and your papers and your affects under the fourth
amendment to the constitution. the fourth amendment standard of e-mails. there's a lot o reasons. first, it puts people on notice as to what the rules should be. not wait for the supreme court or other courts to make different opinions as to whether it's lawful or unlawful. put them on notice that congress has that responsibility to do so. but, also, we have a disadvanta disadvantage. i say, american companies have somewhat the of a disadvantage because this rule, people know that this is what occurs. so other companies, other countries compete against the united states where people go to some other server. where they don't have this
problem with the right of privacy. who would have thought this nation being the the nation that's supposed to be the most democratic, freedom-loving, protects the right of people to be secure this their houses, right of privacy, would resecond the countries that don't have that issue, supposedly, but yet protect that right on their servers? that puts our american companies at a disadvantage. get a warrant. that's the bottom line. get a warrant. if you don't have probable cause to get a warrant then you can't seize the information. that's what the standard should be. it should be -- it's been that way since we enacted the fourth amendment of the u.s. constitution. and it should be that way indefinitely. some say that the constitution is archaic and it doesn't apply. i think it applies quite easily with the general rule, to get a warrant if you want to seize the information that belongs to
individuals. whether it's snail mail or e-mail or a lock box at some bank. where is this legislation going? i hope it pass this is year. it's a bipartisan piece of legislation. all of this legislation is bipartisan. it's in the house. it's also in the senate. pass the judiciary committee of the u.s. senate. a piece of legislation to protect the right of privacy, get a warrant, if the e-mails are over six months of age. i would hope, i'm on the judiciary committee. i would hope we could get this through committee and on the floor of this year. this is actually something that i think is -- will pass. it will pass the house. it will pass the senate. and in a bipartisan way. the president indicated some months ago now, that he thought there should be some echo reform as well.
so, i think that's something that ought to happen. something that ought to continue. we should continue to work on with other members of congress. and move out of the judiciary come in the house. and get a floor vote on the house bill and get a floor vote now on the senate bill as well. now, i will stop at this point and take a couple of questions and see what's on your mind or comments, if i wish. >> yes? [ inaudible ] >> it's essential for government to be doing things it shouldn't be doing. taxes thousands upon thousands of criminal statutes that it shouldn't be doing. so my question is -- is there
anything that would -- to protect -- >> i think i heard most of your question. i'll try to respond to the parts i heard and you can correct me if i didn't get it correct. but, yes. this is just one issue of government oppressiveness of citizenry. law enforcement always seems to push the envelope as to whether they can do what they're doing to get information especially on what they think is criminal conduct. based on my experience at the courthouse, based on what we've seen. they will always interpret the law to the extent that allows them to seize the information. that's why when we draft this legislation it has to be very specific so they know you can do this and you cannot do that.
but it's not just with what's stored in the cloud. you can talk about the nsa, for example. the massive amounts of data that have been seized on americans from the nsa. in violation of the patriot act. and they still have that information. we don't know all the information they have because they're not telling us what they have on individuals. i will say this. nothing wrong with national security. we have to give up rights is what we're told in the name of safety and security. now, that argument has been used by governments all. and unfortunately, people historically, whether it's a democracy or not, have been k50i7bd kind of willing to give up in
the name of hoping to get protection and safety. nsa, let me give you this one comment. we had the undersecretary of justice department before the judiciary committee. and i asked him of all of the information that has been seized by nsa, all of it, how many people have been prosecuted up on this massive seizure of information in the name of national security? do you know what he said? maybe one. so, actually, what they're saying is not making us any safer. they're not getting the information that protecteds us in the bad guys because there's only one person that's been prosecuted but they store this information on americans. i think it's wrong. i think it's a violation of privacy and it certainly was also a vice of the patriot act. that's why a week before last many of us have got on an
amendment to make it more specific on what nsa can seize and what they cannot seize. and it's it in violation of the law and the spirit of the fourth amendment. does that answer your question? >> i can probably squeeze in one more. i think we have one more. >> one problem we've had pore me decades now is we've enforcing the fourth amendment is that the only remedy provided when the fourth amendment is been violated is excluding the evidence. which means if the fourth amendment rights of an innocent person has been violated there's no remedy. and the legislation try to address that. provide some remedies to
enforce, you know with to, you know, in case -- in case those seizures that you're making illegal. in case they're made, no excludeing the evidence or so protecting innocent people. >> excellent comment. and you're exactly right. the united states has come up with of the exclue nation rule. which means if evidence is unlawfully seized on the fourth amendment in a criminal case that evidence is excluded and government may not use that evidence if a judge determined that it was unlawfully seized whether it's the fourth amendment or whether it's a confession. any unlawful. that's the remedy under our law. i think your point is well taken as we move forward on epka there has to be some other remedy besides exclusion as to what we do with that information. certainly, i think we ought to eliminate that information if it's unlawfully obtained. we need to have that debate and
that discussion. i don't know the exact answer on what it should be. but it should be something else besides if the evidence is excluded. that doesn't help the individual who is the innocent person out there. it may help bobby oglethorpe and ollie oglethorpe but it doesn't help the innocent person whose information is seized and still stored by government. good point. we need to add that into legislation before it gets out of our committee. one more question? or are we done? >> one more quick one. and then we'll move on. >> quick question. >> you have social media and things like secure portals that companies use to exchange information with each other and things like that that are all out in the cloud so what's your next step once you get the e-mail protected? >> we have to address all of those issues as well. right nowe